Easy setup: Container-less Tailscale as reverse proxy

[Perseus333]

Easily set up Nextcloud AIO docker container and serve it through a system-wide (non-containerized) Tailscale instance. An alternative to #5439

Motivation
This guide was created out of frustration for the lack of any general, simple, well documented guide for this setup. The most referenced one ¹, formerly even in the official docs, complicates the process by containerizing Tailscale. While professional, it adds a lot of unnecessary complexity and potential errors that are avoidable for most users.

Note

If you encounter any issues during the process, you can find a troubleshooting section at the end with instructions for debugging.

1. Configuring Tailscale Account

You will need to have a Tailnet already set up, and Tailscale installed and running on both your client and your server. For a quick intro, see: Tailscale quickstart (tailscale.com)

Once you have your Tailscale set up both on your server and your client, you need to enable the following configs in Tailscale from the DNS Tab (tailscale.com):

1. Make sure Magic DNS is enabled
2. Enable HTTPS Certificates

2. Installing Nextcloud AIO

Copy the contents from the default compose.yaml - Nextcloud AIO (github.com).

On your server, go to the directory where you will configure the Nextcloud AIO container and create a docker compose file (e.g.: ~/docker/nextcloud/compose.yaml). In there, paste the contents of the compose.yaml from their GitHub.

Inside that file, add the proper DNS resolvers, and uncomment the environment section and the two properties shown below.

  services:
   nextcloud-aio-mastercontainer:
+    dns:
+      - 100.100.100.100  # Tailscale Magic DNS
+      - 127.0.0.53       # Host's DNS resolver
+      - 1.1.1.1          # Fallback DNS
     environment:
       APACHE_PORT: 11000
       APACHE_IP_BINDING: 127.0.0.1

In the compose.yaml directory, run the container with:

docker compose up -d

3. Setting up a domain

Nextcloud will require a proper domain with HTTPS. You can serve a domain from your machine serve using the following command. Notice the http://.

tailscale serve --bg http://127.0.0.1:11000

If you're running Systemd it is a good idea to set this as a service on startup, so create the service by pasting the following content into /etc/systemd/system/tailscale-serve-nextcloud.service:

[Unit]
Description=Serve Nextcloud backend through Tailscale
After=network.target

[Service]
ExecStart=tailscale serve http://127.0.0.1:11000
Type=simple

[Install]
WantedBy=multi-user.target

And enable it and check that it's running

systemctl enable --now tailscale-serve-nextcloud.service
tailscale serve status

4. Nextcloud Setup Wizard

On your client, which should be running Tailscale and having its DNS at 100.100.100.100 (or any other valid Tailscale IP). Open your browser and open the Tailscale IP address of your server followed by port 8080. Also do not forget to prepend https://. E.g.: https://100.123.145.67:8080. You can get its IP from the Tailscale dashboard (tailscale.com) and choosing the one that corresponds with the machine that is running the container.

Tip

• Make sure that no other service is using port 8080 on your server
• If you hit any DNS related issue, try running resolvectl status from the client, you should see Tailscale with "Default Route" as yes.

You should arrive at the Nextcloud setup page, there follow the Nextcloud instructions:

1. Copy the passphrase (and store it)
2. Log in, and paste the passphrase

Tip

If you want to use a custom Tailscale domain name, change it before submitting the domain on Nextcloud. Otherwise things will break, and you might be better off restarting the Nextcloud containers from scratch. You can change it by clicking the "Rename Tailnet" button at DNS (tailscale.com)

It will ask you for the domain of your server, the domain will be the one that we have set up earlier.

If you can get it from:

tailscale serve status

Alternatively, regardless of what you used, it will be visible via the Tailscale Dashboard (tailscale.com). Click on the IP address, and copy the one that is formatted like: name.tail0a12b3.ts.net, then paste it on the domain field.

Note

The Tailscale domain is a very convenient way of having a certified HTTPS domain that only you can access. We need to use a domain since Nextcloud requires it.

Afterwards, continue the setup wizard: select your desired containers, set up the TZ, the backup location, and finally "Download and start containers".

Once that finishes setting up, try opening the domain that you configured Nextcloud to run on in your web browser, and you should see yourself in the login page!

Troubleshooting

• docker logs CONTAINER might show some errors

• If you're having connectivity issues check:

  • docker ps for docker exposed ports
  • ss -tlnp for seeing which ports are being used
  • tailscale status both on client and server (just in case)
  • tailscale serve status from the server
  • dig DOMAIN to see if the DNS resolves the domain
  • curl -v ADRESS from both client and server. (add -k flag in case you're dealing with https issues)

• If you experience issues with Collabora, specifically a CODE related error, try disabling ports 80 and 8443 from the docker compose.
  Thanks to @ilblasco78 for the solution in their comment

• For issues related to port 443 not being reachable, try modifying the docker compose file as suggested by @faustus1005 in their comment:

  • Uncomment the explicit ports
  • Set the APACHE_IP_BINDING to 0.0.0.0
  • Set SKIP_DOMAIN_VALIDATION=true, note that this is a last resort solution.

ports:
  # - 80:80
  # - 8443:8443
   APACHE_IP_BINDING: 0.0.0.0
   SKIP_DOMAIN_VALIDATION: true

• If you don't receive anything from the client in your browser but logs show no errors, and curl works both from the client and the server, check that your browser isn't overwriting your DNS and uses the system default.

Footnotes

1. Tailscale (and Caddy as a sidecar) Reverse Proxy #5439 (github.com) ↩

[szaimen]

Thanks a lot for this great guide @Perseus333 😊

FYI: you could link to the compose file directly like so for example: https://raw.githubusercontent.com/nextcloud/all-in-one/refs/heads/main/compose.yaml

[Perseus333]

Thanks a lot for this great guide @Perseus333 😊

FYI: you could link to the compose file directly like so for example: https://raw.githubusercontent.com/nextcloud/all-in-one/refs/heads/main/compose.yaml

Done in the latest edit.

[Perseus333]

Another thing: are you sure APACHE_IP_BINDING: 127.0.0.1 is not working with tailscale serve running on the server as systemd service?

To be honest, I didn't even try. I know that 127.0.0.1 doesn't work in certain situations so I went with the safe 0.0.0.0. Are there any security vulnerabilities for using 0.0.0.0 instead of 127.0.0.1?

Last thing: docker compose up -d should usually be enough, no?

Yeah that's what I thought but since the other guide used that command I thought it might be the "better" way to do it.

[szaimen]

Another thing: are you sure APACHE_IP_BINDING: 127.0.0.1 is not working with tailscale serve running on the server as systemd service?

To be honest, I didn't even try. I know that 127.0.0.1 doesn't work in certain situations so I went with the safe 0.0.0.0. Are there any security vulnerabilities for using 0.0.0.0 instead of 127.0.0.1?

I think 127.0.0.1 is better if it works (did not test myself but it should.)

Last thing: docker compose up -d should usually be enough, no?

Yeah that's what I thought but since the other guide used that command I thought it might be the "better" way to do it.

No, I would personallly prefer docker compose up -d

[Perseus333]

I think 127.0.0.1 is better if it works (did not test myself but it should.)

It did work.

No, I would personallly prefer docker compose up -d

Ok, the guide is now updated accordingly. Thanks for the feedback!

[szaimen]

Cool! Glad that I could help!

[mfathi91]

Thanks for the guideline. I have an issue during submitting the domain name of Nextcloud during the wizard setup.

• Client can correctly open Nextcloud's wizard by entering server tailscale's ip address.
• Both client and server are able to ping the server via its dns name: ping machine.tail0a12b3.ts.net. Also dig works properly.
• However, in Nextcloud wizard when I want to submit the domain name to machine.tail0a12b3.ts.net, Nextcloud complains that DNS config is not set for this domain or the domain is not a valid domain! (It was found to be set to '')

Note:

• my server is a local device connected to my router, so it doesn't have a public static IP address.
• MagicDNS and HTTPS Certificates are indeed enabled on Tailscale.

Is this something that can be fixed?
Thanks

[mfathi91]

I ended up fixing this issue by adding dns section to the docker compose.yaml:

ports:
    ...

dns:
    - 100.100.100.100  # Tailscale Magic DNS
    - 127.0.0.53       # Host's DNS resolver
    - 1.1.1.1          # Fallback DNS

environment:
    ....

In addition, in order to be able to submit the domain, one must already execute this command on the server, before the Nextcloud wizard: tailscale serve --bg http://127.0.0.1:11000

[Perseus333]

You're right. I think that the key part was instead executing the tailscale serve before submitting the domain. The DNS shouldn't need to be specified in the docker compose if it's the default dns of your machine. I will update the guide accordingly. Apologies for the incorrect instructions, and thanks for the feedback!

[ChrisBerti]

I was getting that error, even after following the troubleshooting steps. It seems like it matters where in the .yaml file you put the dns section. When putting it at the top like in the guide it doesn't work. But when sandwiching it in between ports and environment it worked.
Or maybe it was something else entirely and I accidentally fixed it by moving the addition.

[handle-your-set]

I'll try this later today. But to me it makes perfect sense, @mfathi91 . That was my thought process when I tried a while back. That the "serve" happened too late in the process, for the domain validation to take place.

[balents]

Hi,

I've tried to follow this guide. I reach step 3 and receive the message:

The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.

I checked my router and tried to open port 443 but it says the external port is already being used (which is true - I have it enabled for another server which runs immich). How can I proceed?

Thanks,

Leon

[Perseus333]

Hi,

Is Immich running also in the same tailscale domain? If not, by running first Tailscale serve (now step 3) and then trying to input that into the Nextcloud wizard should solve the issue.

Another option is to use TsDProxy (github.com), which creates a Tailscale machine for each docker service that you have (assuming that Immich is in a docker container). I've heard good things about it, but I haven't used it myself personally.

Update: I've tried with TsDProxy and it works very well and is very easy to set up. END OF EDIT

Alternatively, if you're running them both outside Tailscale, you can use a reverse proxy like NGINX or Caddy to route each service into a separate subdomain, however, that cannot be done on Tailscale and either requires buying a domain or self-signing certs and using local DNS records. The former being easier but non-free, and the latter being a bit messy.

I hope this solves the issue,

Perseus

[Perseus333]

Hi, as of the latest update, a section of the guide on how to do it with TsDProxy has been added. It might be more straightforward for your situation, if you already have Immich on your Tailscale machine.

[balents]

Hi @Perseus333 - thanks so much for the help! I did the tailscale serve and indeed after that it worked. Seems to have been that simple. Much appreciated. - Leon

[Perseus333]

@balents That's awesome! I'm glad I could help.

[handle-your-set]

I am grateful and glad that you put this up. It was something that was driving me crazy, and was learning as I go. This was along the lines of the solution my brain hashed out. I just had to up my knowledge a little bit. Thanks for a dope ass guide!, the effort is very much appreciated, @Perseus333 !

[pfr-dev]

Thank you. This guide helped a lot.

I went with option B and installed TsDProxy which was relatively easy and works great. Awesome stuff! 🙏

[murphn]

Hi,

I followed this guide with Option A, but when i get to the domain validation i get this error:
Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')

The logs show

NOTICE: PHP message: The response of the connection attempt to "https://redacted.redacted.ts.net:443" was: 
NOTICE: PHP message: Expected was: 940862536e9fdffeb1239c63dbc1cd2cd771d19f976ba76d
NOTICE: PHP message: The error message was: TLS connect error: error:0A0000C6:SSL routines::packet length too long
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#how-to-debug in order to debug things

Tailscale serve status shows its pointing corretly, and when i use dig on my domain i get the correct ip.

the only difference in my compose file is that i added:

dns:
    - 100.100.100.100  # Tailscale Magic DNS
    - 127.0.0.53       # Host's DNS resolver
    - 1.1.1.1          # Fallback DNS

As suggested above to avoid another error i was getting when validating the domain.

Any idea why i would be getting this error?

Thank you!

[Perseus333]

Hi, without more info it's a bit hard to know exactly what might be the error. However, from the past, when I got the TLS error of "packet length too long" it was because something was trying to connect using http and the other end was listening for https. It could be other things tho, but I don't know.

Here's what I would do to debug it:

1. Examine the output of curl -vk https://yourdomain
2. Try following the link provided in the logs to debug the issue
3. Ensure that you have HTTPS enabled on Tailscale
4. Ensure that the Tailscale serve command you ran said http:// and that the domain is served on https://. You may try adding the -https=443 flag to tailsale serve just in case.

Besides this, I don't know what else might help. Feel free to publish the output of the aforementioned commands if it isn't solved.

Best of luck!

[murphn]

Thanks for your help, the output of curl -vk gave me the answer... a forgotten container that was using the same port.

[Perseus333]

Thanks for your help, the output of curl -vk gave me the answer... a forgotten container that was using the same port.

Awesome!

[nicelifeBS]

I have really trouble getting this to work. I am using tailscale serve --bg http://127.0.0.1:11000 and uncommented the two lines in the compose.yml for the apache port and ip binding. The server is on the tailnet with IP and domain but if I use the ip and port 8080 I only get:

BAD REQUEST
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

I tried to find anything obvious going through the debugging steps but I could find anything.
Debugging output:

nextcloud:~/docker$ ss -tlnp
State       Recv-Q      Send-Q                          Local Address:Port              Peer Address:Port      Process
LISTEN      0           4096                                  0.0.0.0:80                     0.0.0.0:*
LISTEN      0           128                                   0.0.0.0:22                     0.0.0.0:*
LISTEN      0           4096                            <tailscaleip>:45284                  0.0.0.0:*
LISTEN      0           4096                                  0.0.0.0:8443                   0.0.0.0:*
LISTEN      0           4096                            <tailscaleip>:443                    0.0.0.0:*
LISTEN      0           4096                                  0.0.0.0:8080                   0.0.0.0:*
LISTEN      0           4096              [fd7a:115c:a1e0::f001:aa6b]:443                       [::]:*
LISTEN      0           4096                                     [::]:80                        [::]:*
LISTEN      0           128                                      [::]:22                        [::]:*
LISTEN      0           4096                                     [::]:8443                      [::]:*
LISTEN      0           4096                                     [::]:8080                      [::]:*
LISTEN      0           4096              [fd7a:115c:a1e0::f001:aa6b]:57238                     [::]:*


nextcloud:~/docker$ curl -vk <tailscaleip>
*   Trying <tailscaleip>:80...
* Connected to <tailscaleip> (<tailscaleip>) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: <tailscaleip>
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Location: https://<tailscaleip>/
< Server: Caddy
< Date: Thu, 18 Sep 2025 20:37:45 GMT
< Content-Length: 0
<
* Connection #0 to host <tailscaleip> left intact


nextcloud:~/docker$ dig nextcloud.tailscale-domain.ts.net

; <<>> DiG 9.20.13 <<>> nextcloud.tailscale-domain.ts.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 207
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nextcloud.tailscale-domain.ts.net. IN	A

;; ANSWER SECTION:
nextcloud.tailscale-domain.ts.net. 600 IN	A	<tailscaleip>

;; Query time: 0 msec
;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)
;; WHEN: Thu Sep 18 16:38:52 EDT 2025
;; MSG SIZE  rcvd: 96

https and magic dns are active for my tailnet (I am using that successfully for other machines)
Any help would be appreciated. Thanks in advance!

[lazycodeman]

Okay... this was weird. I disabled port 80 and 8443 and then explicitly did https://<tailscaleip>:8080 in the client browser and then I got the certificate warning page in the browser and after accepting that the Nextcloud setup page showed up.

I have just have the same issue with option B. I think the solution is using "HTTPS" instead of "HTTP".

[prathamPote]

I'm having the same problem, How did u get around it?, arent ports 80 8443 being used by nextcloud container?. I have this currently:
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6aa0e95d1f3a ghcr.io/nextcloud-releases/all-in-one:latest "/start.sh" 10 minutes ago Up 10 minutes (healthy) 80/tcp, 8443/tcp, 9000/tcp, 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp nextcloud-aio-mastercontainer
b5d45d2892ef almeidapaulopt/tsdproxy:latest "/tsdproxyd" 11 minutes ago Up 11 minutes (healthy) 0.0.0.0:9091->8080/tcp, [::]:9091->8080/tcp tsdproxy-tsdproxy-1

[prathamPote]

update: i got it working with these following labels for tdsproxy, apprantly you have to specifiy the container_port for the reverse proxy explicitly:

labels:
- "tsdproxy.enable=true"
- "tsdproxy.ephemeral=false"
- "tsdproxy.tlsvalidate=false"
- "tsdproxy.scheme=https"
- "tsdproxy.container_port=11000"

[nicelifeBS]

I switched over to use the linuxserver.io version of Nextcloud as this is more the thing I need and less hassle to set up.

[Cyberhead21]

I have done everything that there's to do this comment and I still can't get my TsDProxy to work. I even have attempted to set `networks: ["tsdproxy_default"], however, this hasn't proved enough for me to solve my problem.

There's no point in using this container if I can only connect using the .local domain and the IP address of the server where the container is installed.

The difference is, my port 80 doesn't work, even when I explicitly disable the 80 and 8443 ports.

[BenjaminLesne]

Thank you for this guide, it helped me a lot!

I ran into some issues though:

• I had to comment the lines 80:80 and 8443:8443 in the ports section otherwise compose up throw an error (port already in use)
• I had to add a dns section as suggested in this comment ortherwise NextCloud won't accept my tailnet domain

If anyone is interested here is a repo with my compose.yaml and the PR with every change I made to the default compose.yaml from the NextCloud repo

Hopefully that helps!

[Perseus333]

Hi, that's a great guide. However I would encourage that you to read the #Troubleshooting section at the end of the guide as it already addresses the changes that you made, potentially saving you any time you had to spend debugging. It is also denoted by a markdown callout/alert at the very beginning of the guide.

[Enigma2k8]

I tried to open a .docx which failed. Does this setup for Option A allow Collabora to work properly or did I do something wrong?

"Document loading failed
Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. For more info on proxy configuration please checkout https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html"

ChatGPT is telling me tailscale serve struggles with websockets and I should set up caddy instead since I also want to run immich. Thoughts?

[Perseus333]

I'm not sure about Collabora (don't have it installed), but I guess you could try using a Reverse Proxy like Caddy, although I'd recommend using TSDProxy (option B) as it's far easier to integrate with tailscale.

[lukecheny]

@Perseus333 I am running into this same issue now while trying to access .docx files, where is the option B you are referencing here in your comment? I'd like to take a crack at using TSDProxy

[Perseus333]

@lukecheny It's the second latest version in this discussion revision history. If you go to "edited" at the top of the discussion, and click the second version, aka the one after (above) szaimen's, you should find that.

[FatPademeleon]

@Enigma2k8 Have you found a solution to this problem? I have the same issue, and I'm struggling to make it work.

[Cyberhead21]

I have followed the guide and decided on using the option B: Tailscale Docker Proxy, as it allows me to assign a name to my Nextcloud container.

However, I have an issue connecting to a Nextcloud container using a Tailscale IP address. When I connect to it using the ports 80 and 443, I receive the SSL_ERROR_INTERNAL_ERROR_ALERT error. Connecting to port 8080 is impossible.

Connecting directly to my Nextcloud instance at port 8080, however, works with a self-signed certificate, but given the Nextcloud's requirement for a domain, it's impractical to have such a setup.

Had anyone also had a similar issue?

[Perseus333]

The 8080 setup wizard does run without HTTPS, that's totally fine. The Nextcloud instance, once set up, will be over HTTPS.

[Cyberhead21]

The 8080 setup wizard does run without HTTPS, that's totally fine. The Nextcloud instance, once set up, will be over HTTPS.

I didn't clarify that, but in "connecting directly", I meant using the LAN IP address, because the Tailscale IP doesn't work. Sorry for the inconvenience I caused.

AFAIK, TsDProxy doesn't map ports 1:1 to these in the container, instead acting as a HTTPS reverse proxy (as it's in its name), which complicates the effort to debug issues. Given that I'm only a beginner when it comes to TsDProxy's reading source code, any help would be appreciated.

[nefariouslegion]

Hi, I've been trying for about 2 hours to get this to work on my NAS but no matter what I try I always get this error when trying Submit my tailscale domain name

The log seems to be missing some information because it outputs this:
2025-10-06T00:39:58.018523714Z NOTICE: PHP message: The response of the connection attempt to "https://[redacted].[redacted].ts.net:443" was: 2025-10-06T00:39:58.018580009Z NOTICE: PHP message: Expected was: 63fcfc3f67ce6719d0313857533240c094571764f389a671 2025-10-06T00:39:58.018591600Z NOTICE: PHP message: The error message was: 2025-10-06T00:39:58.018595634Z NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#how-to-debug in order to debug things!
Kind of strange that some of those lines just show "...was: " and just blank.

I'm using tsdproxy. I've used it with many other containers with no issues so I don't know why it's not working with nextcloud.

Things I've tried:

• Making sure to uncomment the two apache related lines in the compose file as instructed
• Adding the DNS lines mentioned here: Easy setup: Container-less Tailscale as reverse proxy #6817 (reply in thread)
• Using these lines in the nextcloud master container service to attempt to get tsdproxy working

  labels:
      tsdproxy.enable: "true"    
      tsdproxy.scheme: "https"      
      tsdproxy.name: "nextcloud"
      tsdproxy.container_port: "11000"
      tsdproxy.ephemeral: "false" 

• Tried commenting out the "tsdproxy.scheme: "https" line.
• Tried commenting out the "tsdproxy.container_port: "11000" line
• Tried changing the "tsdproxy.container_port: "11000" line to port 8080 instead
• Made sure I can ping the nextcloud tailscale URL successfully
• Tried entering the nextcloud tailscale URL in a browser and it presents this error

• In the Tailscale admin console I've made sure both MagicDNS and HTTPS are enabled
• Looked through the debugging guide linked in the log output

I have no idea what else to try. I have 14 other containers all working perfectly in TSDProxy so I don't understand why Nextcloud won't work.

Any help would be greatly appreciated!

[nefariouslegion]

The following lines from the reverse proxy guide are probably related

Since the Apache container gets created by the mastercontainer, there is NO way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because it will fail!

Traefik [...] Using docker labels won't work because of the nature of the project.

But if it's not possible then my question would be how do other people seemingly have it working?

[Perseus333]

@Perseus333 based on the above conments, I dont think that TSDProxy works with AIO. Have you verified if it does on your system?

Yes I have, it worked on my system, alongside other services. However, I think it might be best if I removed the option from the list given the issues that it's causing. I initially included it as it was the way that I used instead of Tailscale as I found adding more services that required their own reverse proxy, and I couldn't have more than one Tailscale serve. @szaimen do you think it's better if I remove it from the guide?

[szaimen]

@szaimen do you think it's better if I remove it from the guide?

Yes I'd say so

[Perseus333]

@szaimen do you think it's better if I remove it from the guide?

Yes I'd say so

Done. Hopefully there will be less issues.

[mxreyer]

Currently, reverse-proxy.md references this guide, which works great for a server or VM with a single web service. I believe that many people will want to install other docker containers alongside NC AIO and integrate them into their tailnet. As per the above, this is not supported by this guide any longer.

Personally, I had luck with the two setups with tsdproxy from the comments #6817 (reply in thread) and #6817 (reply in thread) below. However, I eventually decided not to use tsdproxy because it requires full access to the docker socket.

The more involved setup #5439 (that this guide tries to avoid) worked well and supports multiple docker containers natively. I do agree that the approach discussed here is much simpler if only NC AIO is supposed to be run on the server. But since reverse-proxy.md specifically recommends Tailscale to run NC AIO, I feel that reverse-proxy.md should suggest what to do in a multi-container scenario. (Potentially referencing #5439, which is currently not linked?)

[nefariouslegion]

Bit of a dumb question here. You mention:

You will need to have a Tailnet already set up, and Tailscale installed and running on both your client and your server.

I just want to clarify something though. I have my NAS as the server and nextcloud-aio will be running in a docker container on the NAS. So is the "client" you mentioned just referring to any of my devices that I want to be able to connect to Nextcloud? I do already have tailscale already setup on all my devices and can successfully access about 13 other docker containers on the NAS with it. Based on my understanding I did the tailscale serve on the NAS and added it's service to the NAS systemd. Is this correct?

I'm asking because I'm having an issue. I followed the recently revised guide using what used to be called Option A. When I get to the part of the Nextcloud AIO setup where I enter the tailscale domain name and check it I get this error

And when I go to the logs as suggested in that error I see this:
NOTICE: PHP message: The response of the connection attempt to "https://[redacted].taildc[redacted].ts.net:443" was: NOTICE: PHP message: Expected was: 4ba1ea2ba82a8abedb2e16a47688428f6909617be1ccb376 NOTICE: PHP message: The error message was: SSL certificate problem: self-signed certificate NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#how-to-debug in order to debug things!

I do have both Magic DNS and HTTPS enabled in the tailscale dashboard. So I'm not sure if I've setup something else wrong or what exactly is causing the error?

EDIT: Just to add, when I load my tailscale domain name in a browser it does bring up a page that shows the string expected by nextcloud-aio. But for some reason nextcloud-aio's log says the response was just blank.

[nefariouslegion]

EDIT: I added the variable to skip the domain check and everything seems to be working!

Bit of a dumb question here.

There are no dumb questions. - Master Oogway or something

is the "client" you mentioned just referring to any of my devices that I want to be able to connect to Nextcloud

Yes.

I did the tailscale serve on the NAS and added it's service to the NAS systemd.

Yes, that is also correct.

Regarding you issue, you seem to be having something similar to what others (the previous comment) had. As for what causes that I'm not quite sure. Have you ran all of the commands from the "Troubleshooting" section of the guide? Do they tell you something that you didn't know? I would also recommend checking the logs from the (Nextcloud-)Apache container.

I hope that something about this helps. Feel free to submit any of the logs for further debugging.

Good luck!

Ha that linked comment was also from me when I attempted the Option B that used to be in the guide lol.

As for the troubleshooting commands I can see the ports (11000 and 8081 on host mapped to 8080 in the container) are both active. 11000 by the domaincheck container and the 8081->8080 in the mastercontainer. Tailscale status shows all my clients, the server (NAS) and other containers using tsdproxy. The tailscale serve status shows the domain name of my server (HTTPS) with a proxy to http://127.0.0.1:11000. I've never used the Dig command before but when I run it with my server's tailscale domain it correctly resolves the tailscale IP address. As for the curl command it connects to the tailscale IP and port 80. Then shows a "Temporary Redirect" to http://[redacted].taildc[redacted].ts.net:9999. That address and port is the URL to reach the NAS's own UI remotely. After that redirect it just shows this:

As for apache logs I don't have any since I haven't reached the stage that creates that container. I'm stuck at the step before it trying to pass the domain check. I could set the environment variable to skip it but I'd prefer to make sure it's working properly.

[Perseus333]

Hi, I finally found a solution to the TSDProxy issue that you were having! here is the config that worked for me:

Files and Configs

File tree:

.
├── nextcloud-aio
│   └── compose.yml
├── tsdproxy
│   ├── compose.yml
│   ├── config
│   │   ├── services.yaml
│   │   └── tsdproxy.yaml
│   └── keys
│       └── ts-tsdproxy.txt

Nextcloud-AIO docker compose.yml:

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
    init: true # This setting makes sure that signals from main process inside the container are correctly forwarded to children. See https://docs.docker.com/reference/compose-file/services/#init
    restart: always # This makes sure that the container starts always together with the host OS. See https://docs.docker.com/reference/compose-file/services/#restart
    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    # network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
    # networks: ["nextcloud-aio"]
    ports:
      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080 # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
    dns:
      - 100.100.100.100
    environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
      APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      APACHE_IP_BINDING: 0.0.0.0 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      APACHE_ADDITIONAL_NETWORK: tsdproxy_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
      # NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # NEXTCLOUD_UPLOAD_LIMIT: 16G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # NEXTCLOUD_MEMORY_LIMIT: 512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
      # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      SKIP_DOMAIN_VALIDATION: true # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-skip-the-domain-validation
      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using which is exposed on the host. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'

#   # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/discussions/575
#   # Alternatively, use Tailscale if you don't have a domain yet. See https://github.com/nextcloud/all-in-one/discussions/6817
#   # Hint: You need to uncomment APACHE_PORT: 11000 above, adjust cloud.example.com to your domain and uncomment the necessary docker volumes at the bottom of this file in order to make it work
#   # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
#   caddy:
#     image: caddy:alpine
#     restart: always
#     container_name: caddy
#     volumes:
#       - caddy_certs:/certs
#       - caddy_config:/config
#       - caddy_data:/data
#       - caddy_sites:/srv
#     network_mode: "host"
#     configs:
#       - source: Caddyfile
#         target: /etc/caddy/Caddyfile
# configs:
#   Caddyfile:
#     content: |
#       # Adjust cloud.example.com to your domain below
#       https://cloud.example.com:443 {
#         reverse_proxy localhost:11000
#       }
    labels:
      - "tsdproxy.enable=true"
      - "tsdproxy.name=next"
      - "tsdproxy.container_port=11000"
    networks:
      - tsdproxy_net

volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
  # caddy_certs:
  # caddy_config:
  # caddy_data:
  # caddy_sites:

# Adjust the MTU size of the docker network. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-mtu-size-of-the-docker-network
networks:
  tsdproxy_net:
    external: true
#   nextcloud-aio:
#     name: nextcloud-aio
#     driver_opts:
#       com.docker.network.driver.mtu: 1440

Tsdproxy docker compose.yml

services:
  tsdproxy:
    container_name: tsdproxy
    image: almeidapaulopt/tsdproxy:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - datadir:/data
      - ./config:/config
      - ./keys:/keys/:r
    restart: unless-stopped
    ports:
      - "8081:8080"
    dns:
      - 100.100.100.100
    networks:
      - tsdproxy_net    

volumes:
  datadir:

networks:
  tsdproxy_net:
    external: true

TSDProxy config/tsdproxy.yaml

defaultProxyProvider: default

# docker:
#   local:
#     host: unix:///var/run/docker.sock
#     defaultProxyProvider: default

tailscale:
  providers:
    default:
      authKeyFile: "/keys/ts-tsdproxy.txt"
      controlUrl: https://controlplane.tailscale.com

files:
  services:
    filename: /config/services.yaml
    defaultProxyProvider: default
    defaultProxyAccessLog: true

http:
  hostname: 0.0.0.0
  port: 8080

log:
  level: info
  json: false

proxyAccessLog: true

TSDProxy Services.yaml

next:
  url: http://nextcloud-aio-apache:11000

Steps

It's better if you remove the previous containers and you remove their volumes as well:

docker compose down --volumes
docker rm -f $(docker ps -aq --filter name=^nextcloud-aio --filter name=^nextcloud_aio)
docker volume rm $(docker volume list -q --filter name=^nextcloud-aio --filter name=^nextcloud_aio)
docker network remove nextcloud-aio

Once you have overwritten all of the files create the external network:

docker network create tsdproxy_net

The key part you can skip, but it's more convenient, you can create tailcsale keys at: https://login.tailscale.com/admin/settings/keys

Then you should run both containers.

On Nextcloud follow the procedure and add next.tailXXXX.ts.net. You can change the name of "next", but I suggest you first try it like this just in case.

You should not see the issue that you had because domain validation is off.

Then you should wait until apache has started and you should run the following command:

docker network connect tsdproxy_net nextcloud-aio-apache

And restart the nextcloud-aio-apache container:

docker restart nextcloud-aio-apache

Wait for it to load (can take a while), and you should be greeted with the homepage!!

[mxreyer]

Great, thanks for working that out! Am I right that the essential changes to your the initial approach were to

• put the tsdproxy and nextcloud-aio-apache containers on a common docker network tsdproxy_net
• manually tell tsdproxy to proxy the nextcloud-aio-apache container by adding the services.yaml file?
• disable domain validation via SKIP_DOMAIN_VALIDATION: true?

I have not gone through the whole revised guide but toyed with a test container and a similar services.yaml file and am very optimistic that this solution would work.

I just want to make sure that I fully understand how tsdproxy works, here: Would't it be possible to drop the section

    labels:
      - "tsdproxy.enable=true"
      - "tsdproxy.name=next"
      - "tsdproxy.container_port=11000"

in the Nextcloud compose.yml? After all, tsdproxy does not need to proxy the nextcloud-aio-mastercontainer at all?

[mxreyer]

On top of that, I can also offer an alternative workaround that does not need to SKIP_DOMAIN_VALIDATION. Drawing inspiration from #5439, I put a caddy reverse proxy between tsdproxy and the Nextcloud AIO containers. Tsdproxy connects to caddy, and caddy redirects to the nextcloud-aio-domaincheck or nextcloud-aio-apache container listening to port 11000 on localhost. On top of setting up the caddy container, all I had to do was to set APACHE_IP_BINDING: 0.0.0.0. Here is my setup in detail:

Tsdproxy compose.yaml:

services:
  tsdproxy:
    image: almeidapaulopt/tsdproxy:1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - datadir:/data
      - ./config:/config
    restart: unless-stopped
    ports:
      - "8081:8080" 

volumes:
  datadir:

Tsdproxy config/tsdproxy.yaml:

defaultproxyprovider: default
docker:
    local:
        host: unix:///var/run/docker.sock
        targethostname: 172.31.0.1
files: {}
tailscale:
    providers:
        default:
            controlurl: https://controlplane.tailscale.com
    datadir: /data/
http:
    hostname: 0.0.0.0
    port: 8080
log:
    level: info
    json: false
proxyaccesslog: true

Caddy compose.yaml:

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    volumes:
      - ./conf:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
    labels:
      - "tsdproxy.enable=true"
      - "tsdproxy.name=next"
      - "tsdproxy.tlsvalidate=false"
      - "tsdproxy.scheme=http"
      - "tsdproxy.container_port=80"
    extra_hosts: 
      - "host.docker.internal:host-gateway"

volumes:
  caddy_data:
  caddy_config:

Caddy conf/Caddyfile:

:80
reverse_proxy host.docker.internal:11000

Nextcloud compose.yaml

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    network_mode: bridge
    ports:
      - 8080:8080
    environment:
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 0.0.0.0

Then

• start up all containers sudo docker compose up -d
• log into the tsdproxy interface on port 8081 and register the caddy container next
• log into the nextcloud interface on port 8080, submit (e.g.) next.funnyname.ts.net

I hope that this works for other people, too.

[Perseus333]

@m-reyer I'm glad that it worked! I believe you're right on all of your points. Also, that solution without skipping the domain validation is a clever one, although the whole point of this was to avoid Caddy sidecars, but if it works it works. Plus it's also simpler, so kudos for that.

[FatiguedEndUser]

I am running into the issue..
The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.

when i put in the web address i got from the third step doing tailscale serve --bg http://127.0.0.1:11000 i got redirected to my Emby docker container.

Im not sure where to go from here. I feel like I am super close to getting this working but i cant get past this damn AIO page.

I should also say i am running immich also. But i looked at the ports of both emby and immich and im not seeing any ports that would conflict.

Any input would be greatly appreciated.

[FatiguedEndUser]

Thank you, I appreciate your help :)

[Perseus333]

Hi, unfortunately I'm not able to replicate the bug, as I've tried again with a fresh install following the guide and it all worked fine for me. Just to double-check, have you tried with all of the suggestions mentioned in troubleshooting? Do any of the logs look out of place, or do you get any different error messages?

I'm sorry but it's hard to debug a something that I cannot reproduce.

[FatiguedEndUser]

Id have to retry again, I followed the other guide you suggested and that functioned pretty well up until the point it said "Open your nextcloud" after downloading the other containers, and started them. The site was unreachable (My next cloud instance). I appreciate the help but at this point im just so over nextcloud. Seems like a good tool and with the upcoming updates looks even cooler. But oh well.. Thanks again.

[faustus1005]

Interestingly, I ran into similar problems. I had to make a few changes to get it working. I disabled port 80/8080 in the yaml, added the DNS settings, changed the binding to 0.0.0.0 and skipped domain validation. After all that I was finally able to get it working. :)

ports:
  #      - 80:80
  #      - 8443:8443
dns:
  - 100.100.100.0  # Tailscale Magic DNS
  - 192.1.1.0       # Host's DNS resolver
  - 8.8.8.8          # Fallback DNS
   APACHE_IP_BINDING: 0.0.0.0
   SKIP_DOMAIN_VALIDATION: true

[lukecheny]

I've been stuck on this for a while. That worked @faustus1005! Thanks so much.

[ilblasco78]

Hi Perseus333, thank you very much for your guide.
If you have also Collabora installed, following all the steps leads to an error with the CODE Server Configuration and office files (*.odt for example) cannot be opened.
Moreover, in NC administration panel, there are several errors related to CODE, as reported as well by other users in previous comments.

I was able to solve these issues by commenting out ports #80 and #8443 in the docker_compose file. I hope this helps.

[Perseus333]

Awesome, I'll add it to the troubleshooting section. Thanks for the contribution!

[dmitryikh]

I think I know why the tailscale domain isn't reachable for some case.

This is due to subtle difference between [1]

tailscale serve --bg http://127.0.0.1:11000

and [2]

tailscale serve --service=svc:nextcloud http://127.0.0.1:11000

The [1] is proposed in this guide and tailscale supports self-referencing in this mode. E.g. one can do curl -vk https://[machine].taildd[number].ts.net:443 just fine on the same host, where the tailscale serve is running.

The [2] is more versatile, as it proposes a new domain name for a service, which is good for running multiple things on the same host.
But in this case tailscale blocks self-referencing, e.g. if one runs curl -vk https://nextcloud.taildd[number].ts.net:443 on the host, the command will time out. That's why nextcloud containers, which are essentially running on the same host, can't call itself using the domain name.

Unfortunately I don't know how to solve it. It seems a deliberate design of service domain names from tailscale.

[Rudi54rv]

Hy @Perseus333,
thanks for the guide.

I set it up according to your instruction but with Tailscale funnel. Means the nextcloud is available on the public internet not just within your tailscale network. Works fine also.
Another point. If i run tailscale as background service ("sudo tailscale funnel --bg ") it's starting on its own if i restart the server. I'm on Linux Kubuntu 24.04 LTS. So in my case no need of creating it as a service (Systemmd).

Also the collabora nextcloud office is working.

thanks and all the best.
RK

[Perseus333]

Awesome! Great to see that it's working.

[dpavle]

Thanks for the guide, really simple and straightforward compared to the previous solution!

Is there a reason the provided service is a oneshot? I suggest making it a simple type and ditching the --bg parameter in the command, letting systemd fully manage the process. On the user side, this lets us do systemctl stop tailscale-serve-nextcloud if there is a need to stop serving the app for whatever reason.

Also, there is no need to spawn an entire bash shell, just the command would work:

[Unit]
Description=Serve Nextcloud backend through Tailscale
After=network.target

[Service]
ExecStart=tailscale serve http://127.0.0.1:11000
Type=simple

[Install]
WantedBy=multi-user.target

[Perseus333]

No, there was no particular reason for oneshot besides that it is what I use, and I saw being used in most of the services that just required running a command. I now realize that type simple is better for this case, since systemd tracks the state.

I also think that removing the --bg flag is a good idea since that was meant just for when you're running it on your own terminal.

And regarding the shell you're totally right, there's no need to.

Thanks for the suggestions and improving the guide! It has been updated accordingly.

[szaimen]

• If nextcloud complains about the validity of the domain, adding the following to the nextcloud docker compose .yml file might help:

services:
    Nextcloud:
+++     dns:
+++         - 100.100.100.100  # Tailscale Magic DNS
+++         - 127.0.0.53       # Host's DNS resolver
+++         - 1.1.1.1          # Fallback DNS

Hi @Perseus333 I thought a bit about this section and I think dns should always be configured globally for all containers to use the 100.100.100.100 upstream dns server by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html#:~:text=configure%20dns%20for%20all%20containers. Otherwise dns resolving will not work correvtly afaik.

[coolmanbat2]

My assumption to this was it did use that DNS as reference when starting the containers.

Also, is it not necessary since each container runs locally to the machine and all the network pulling is done through the master container.

[Perseus333]

Hi @Perseus333 I thought a bit about this section and I think dns should always be configured globally for all containers to use the 100.100.100.100 upstream dns server by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html#:~:text=configure%20dns%20for%20all%20containers. Otherwise dns resolving will not work correvtly afaik.

The thing is that it works fine without it. I will add it, since it's true that it seems like it's an issue for most people, but for others it works just fine without. I'm not really sure what causes this disparity though.

EDIT: Done.

[szaimen]

@Perseus333 please adjust the dns config based on the link I've send. Setting the dns config only for the mastercontainer will not make it work for the siblng containers. Onky adjusting the daemon.json file like shown in the link will do so.

[coolmanbat2]

Hi everyone,

I've been trying to migrate my setup from cloudflare tunnel to tailscale. I followed through all the steps and managed to get the local address to work in my machine.

However, when I start up my containers. The nextcloud container continuously restarts with a vague error in the logs:

2025-11-20 12:29:56.420 | Connection to nextcloud-aio-redis () 6379 port [tcp/redis] succeeded!
2025-11-20 12:29:56.577 | The initial Nextcloud installation failed.
2025-11-20 12:29:56.577 | For more information about what went wrong, check the logs above.
2025-11-20 12:29:56.577 | Please reset AIO properly and try again.
2025-11-20 12:29:56.577 | See:
2025-11-20 12:29:56.577 |   https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance
2025-11-20 12:30:03.194 | Connection to nextcloud-aio-database () 5432 port [tcp/postgresql] succeeded!
2025-11-20 12:30:03.196 | + '[' -f /dev-dri-group-was-added ']'
2025-11-20 12:30:03.197 | ++ find /dev -maxdepth 1 -mindepth 1 -name dri
2025-11-20 12:30:03.202 | + '[' -n '' ']'
2025-11-20 12:30:03.202 | + set +x
2025-11-20 12:30:03.317 | Connection to nextcloud-aio-redis () 6379 port [tcp/redis] succeeded!
2025-11-20 12:30:03.819 | The initial Nextcloud installation failed.
2025-11-20 12:30:03.819 | For more information about what went wrong, check the logs above.
2025-11-20 12:30:03.819 | Please reset AIO properly and try again.
2025-11-20 12:30:03.819 | See:
2025-11-20 12:30:03.819 |   https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance

Here's a list of what I tried so far:

1. Reset containers based on instructions from the github link below.
2. In my docker-compose file, changed network mode to bridged.
3. Added DNS category into compose.yaml file, same as what is shown in this guide.

this is my docker-compose file:

services:
  nextcloud:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    container_name: nextcloud-aio-mastercontainer
    restart: always
    network_mode: "bridge"
    ports:
      - "8080:8080"
    dns:
      - 100.100.100.100
      - 127.0.0.53
      - 1.1.1.1
    environment:
      APACHE_PORT: "11000"
      APACHE_IP_BINDING: "127.0.0.1" 
      APACHE_ADDITIONAL_NETWORK: ""
      # SKIP_DOMAIN_VALIDATION: "true"
      # NEXTCLOUD_DATADIR: "/mnt/drive"
      # NEXTCLOUD_MOUNT: "/mnt/"
    volumes:
      # - /mnt/e:/var/www/html/data
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro

volumes:
  nextcloud_aio_mastercontainer:

Is there anything that is missing from my end or am I running around in circles with this?

[nashwannose]

Hello,

The person in this video
explains it much more easily, with clear, step-by-step instructions. I highly recommend it.

[seffyroff]

Hi, thanks so much for this guide - I had previously tried different approaches and had a lot of problems. I followed this guide and everything works great, thank you!

For some possibly useful context for others this is a Ubuntu 24.04 VM hosted on a Proxmox server. All features enabled and working, including community apps.

[Rudi54rv]

Hy seffyroff,

You write all features are working. Is the "talk" feature also working fine?
I thought thats not possible with this tailscale configuration.

Many thanks for answer